DRb Inside Stored Procs
A message from Tim Sutherland of the Ruby Weekly News. He alerts us to a hack in which Ruby’s $SAFE is set to zero inside the PL/Ruby module for PostgreSQL (which allows one to write Ruby inside stored procedures). This means: anything. But more specifically:
SELECT redcloth('*strong text* and _emphasized text_');
The culprit here is Robby Russell. You bandits lick this stuff up like it’s perfumed peanut butter. The DRb jammed inside Postgres example is v. funny. He gives a good case for using RedCloth inside PostgreSQL—so he can use it from PHP. It works better than Parrot I guess. SQLite will let you hook Ruby methods like this as well. (Disclaimer: I am not on the board of advisors for Parrot.)
Platte
That’s just wrong.
mir
Anyone who is looking for a new next-gen OO db engine should look here: www.db4o.com (should also work with Ruby, I guess).
canadaduane
How does db4o work with Ruby? I wish. That’d be very cool.